Death of the enterprise VPN - if remote access is not secure what comes next?

VPNs are the backbone of enterprise remote access and yet their security limitations are starting to pile up. The problem is that the very thing that once made them so useful, network access, is now their biggest weakness. As the 2014 attacks on retailers Target and Home Depot painfully illustrate, this architecture can easily be exploited by attackers armed with stolen credentials to move around networks from within in ways that are difficult to spot until it’s too late.

What looked like a VPN to employees and partners turned out to be an open door for the attackers and the rest is data breach history.

“The VPN hasn’t changed in 20 years,” says Zscaler’s engineering sales director Mark Ryan as he sets out the case for something called Private Access, his firm’s reinvention of the VPN in a form it believes is more suitable for a world of remote access to cloud applications.

“The biggest change has been moving from IPsec to SSL. It is an extension of my network and once users are authenticated they have access to the network,” adds Ryan. “This presents a fundamental risk to security. From the security perspective this isn’t the same as a VPN because we are not placing the user on the network.”

The traditional VPN defence, segmenting the network into VLANs and subnets with firewalls policing movement between them, offers a solution of sorts but quickly becomes an expensive headache to manage across larger organisations; more likely it simply won’t be done. Add remote access to cloud applications and the problems compound, with traffic backhauled from data centre to cloud in a manner Zscaler’s advertising blurb likens to “flying from San Francisco to London by way of Buenos Aires.”

Outwardly at least, Zscaler’s Private Access looks much the same as a traditional VPN and can, the company claims, be bought as a direct replacement for it. Instead of running a VPN client, the PC runs a Private Access client that intercepts requests it identifies as aimed at an intranet or cloud application, directing these through Zscaler’s global cloud and onwards to a ‘connector’ server that sits inside the customer’s datacentre or the cloud itself.

None of this affects the authentication service or technology in use, and the critical property of a VPN, end-to-end encryption, is maintained. Traffic traverses Zscaler’s cloud, but the firm does not have access to the data moving across it. This isn’t a VPN but it behaves like one. No underlying network is exposed because the applications and the network are separate things, nor is there a routable inbound connection for attackers to exploit.

Perhaps the biggest attraction is the ability to offer controlled third-party access. A partner using this sort of VPN is never accessing the network, only the application governed by policy.
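The distinction the last three paragraphs draw, being placed on a routable network versus being brokered to a named application through an outbound-only connector, can be made concrete with a small model. This is an added illustration written for this article, not Zscaler code; the subnet, hostnames, user and connector names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkVpn:
    """Traditional VPN: authentication places the user on routable subnets."""
    routes: list  # CIDRs pushed to every authenticated client (constructed)

    def can_reach(self, user: str, target_ip: str) -> bool:
        # On the network, any host inside the pushed routes is reachable,
        # whether or not the user has any business with it.
        ip = ipaddress.ip_address(target_ip)
        return any(ip in ipaddress.ip_network(c) for c in self.routes)

@dataclass
class AppBroker:
    """Brokered access: connectors dial out, users ask for applications by name."""
    policy: dict                                    # user -> set of app names
    connectors: dict = field(default_factory=dict)  # app name -> connector id

    def register_connector(self, connector_id: str, apps: list) -> None:
        # The connector dials out to the broker; nothing listens inbound.
        for app in apps:
            self.connectors[app] = connector_id

    def request(self, user: str, target: str) -> tuple:
        # Only published application names resolve; an IP literal or an
        # unpublished host has no connector, so there is simply no path.
        if target not in self.connectors:
            return ("deny", "not a published application")
        if target not in self.policy.get(user, set()):
            return ("deny", "no policy for this user and application")
        return ("allow", self.connectors[target])

def demo() -> dict:
    vpn = NetworkVpn(routes=["10.20.0.0/16"])
    broker = AppBroker(policy={"contractor": {"billing.intranet.example"}})
    broker.register_connector("dc1-connector",
                              ["billing.intranet.example", "hr.intranet.example"])
    return {
        "vpn_reaches_unrelated_host": vpn.can_reach("contractor", "10.20.5.7"),
        "broker_allowed_app": broker.request("contractor", "billing.intranet.example"),
        "broker_other_app": broker.request("contractor", "hr.intranet.example"),
        "broker_ip_literal": broker.request("contractor", "10.20.5.7"),
    }
```

The contractor with stolen VPN credentials reaches any host on the pushed subnet, while the same contractor through the broker gets exactly one application and no route to anything else, which is also why the broker's decision log is a far more useful detection source than flow records from a flat VLAN.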

Isn’t this overkill? Not if customers are adopting cloud applications, says Ryan, who is also dismissive of the idea that conventional VPNs can be secured using VLANs and firewall policies.

“That is not what people do because of the complexity of managing those policies. Very quickly you realise that everyone is on VLAN A and has access to the network.”

Zscaler Private Access - customers

Zscaler Private Access was in development for around a year with trials running for the last six months at a number of large enterprises, only a small number of which Zscaler is at liberty to mention. These are German firm MAN Diesel & Turbo and software analytics firm SAS Institute.

“Zscaler Private Access allows me to give users access to a single application, and not to my entire network. This granular application control is also perfect for the growing demand of contractors and partner access,” said MAN’s IT Infrastructure Architect, Tony Fergusson.

For SAS, the issue had been the inherent complexity of Network Access Control.

“Ensuring granular, application-layer access to authorized users is just part of the product, and it was much easier to roll out than either VPN or NAC,” commented enterprise architect Brian Wilson.

Are there any limitations of Zscaler’s approach? It will be argued that it’s overkill for smaller organisations that understand and can secure their own networks and don’t have complex multi-site datacentres with adjacent clouds. For modest installations, VPNs will still work fine. A more general issue is that Private Access assumes customers are moving to host applications in the cloud rather than the datacentre. If they want to do that then a new remote access architecture makes sense. If they are content with datacentre provision, then it might be less compelling.

Another issue will be price. Zscaler was not able to confirm this during the launch of Private Access but said it would clearly undercut traditional VPN gateways, load balancers and backhaul.

Ultimately, the future of VPNs will look more like Private Access because it simply makes more sense for large enterprises in terms of cost, management and security. The hurdle to this is simply the heavy investment organisations already have in VPNs. This evolution will take time and some businesses will see better authentication and endpoint control as a short-term fix for the weaknesses of VPNs exposed in high-profile hacks.